LLM driven agents that act on tools, data, and other agents now need more than allow/deny rules. A new preprint argues obligations, waivers, and conflict resolution belong in a deterministic engine outside the model.
The enterprise moment that exposes the gap is mundane. An LLM-driven agent is granted the right to provision cloud resources, query a customer record, and message a peer agent in another team. The security team writes an allow-list. Nobody writes down what the agent is obliged to do after the act: who gets notified, what gets logged, which retention policy applies, which rule wins when the privacy rule and the uptime rule collide. Production policy engines in IAM and governance have no clean way to express that half of the question, and the agents go live anyway.
That gap is the subject of a new preprint on deontic policies for agentic AI. The paper, "Deontic Policies for Runtime Governance of Agentic AI Systems," introduces a framework called AgenticRei that is built on the long-standing Rei deontic policy language, expressed in OWL, and evaluated by a logic engine that runs outside the LLM entirely. The authors' central claim is structural. Governance for agents cannot be a wrapper around the model. It has to be a deterministic evaluator on the critical path of every tool call and every agent-to-agent message.
The vocabulary matters. A deontic policy, in plain English, is a rule about what is permitted, what is prohibited, what is obliged, and when an obligation can be waived. The production policy engines most enterprises actually run, XACML, Rego, and Cedar, cover only the first two. They can answer "may this agent do X?" but not "if this agent does X, what must happen next?" That second question is exactly the one a CISO will ask after the fact, and the one a vendor demo tends to skip.
The paper lists four governance requirements the current stack does not meet: specifying permitted and prohibited actions, post-action obligations (a CISO notification, a log entry, a downstream human review), waiver conditions for standing obligations, and conflict resolution when two policies clash. AgenticRei is the authors' attempt to express all four in a single pipeline, written in OWL so the rules can be reasoned over as a domain hierarchy rather than as flat conditions, and evaluated by a high-performance logic engine that sits between the agent and the action. The same pipeline is meant to govern both tool invocations and agent-to-agent messages, with composability for the A2A protocol the paper demonstrates.
The architectural bet is the part that matters for the agentic economy. If the policy engine is on the critical path of every transaction, whoever owns that engine holds a veto over the transaction. The same structural position made card networks, not merchants, the regulated layer in payments. The preprint does not put it that bluntly, and it does not need to. The design choice is the claim. The authors are arguing, in effect, that the governance question for agentic AI is not a model-alignment question but an infrastructure-placement question, and that the answer is a deterministic evaluator the LLM cannot bypass.
The honest caveats belong in the same paragraph as the architecture. The work is a preprint, not yet a peer-reviewed venue of record. The evaluation is by worked examples rather than large-scale benchmarks, so the expressiveness claim is real but the performance claim is illustrative. The "policy engine entirely outside the LLM" claim is an architectural bet, not an empirical result, and deontic policy languages have a long history of real adoption friction around authoring cost, reasoning performance, and ontology maintenance that the paper does not deeply address. A reader who treats the framework as production-ready on the strength of the abstract is reading past the document.
What to watch next is whether the obligations half of the vocabulary starts showing up in shipping policy engines. The XACML, Rego, and Cedar communities have been here before, and OWL-based deontic reasoning is not new. What is new is the substrate: an LLM agent that acts on tools and data and coordinates with peer agents across organizational boundaries, in production, on Tuesday. The governance question just moved from "what may the model do" to "what must happen because the model did," and the policy engines shipping today do not yet answer the second half.